DATABASE DECEPTION IN DIRECTORY SERVICES

US 20170171244A1
Filed: 12/10/2015
Published: 06/15/2017
Est. Priority Date: 12/10/2015
Status: Active Grant

First Claim

Patent Images

1. A method for detecting unauthorized access of a network environment, the method comprising:

instantiating, by a security computer system, at least one first network service and executing the at least one first network service on the security computer system;

transmitting, by the security system, at least one first credential effective to authorize use of the first network service to a central server implementing an active directory service for a plurality of second network services implemented by one or more network servers in data communication with central server;

storing, by the central server, the one or more first credentials in a repository storing second credentials effective to authorize access to the plurality of second network services;

authenticating, by the central server, a first user;

determining, by the centrals server, that one of the second credentials authorizes the first user to access one of the second network services;

in response to determining that the one of the second credentials authorizes the first user to access the one of the second network services, instructing the one of the second network services to allow access by the first user;

authorizing, by the centrals server, a second user to access the at least one first network service using the at least one first credential;

in response to accessing of the at least one first network service by the second user, performing, by the security computer system

permitting access to the at least one first network service;

outputting an alert indicating that unauthorized access of the central server has occurred.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system includes one or more “BotMagnet” modules that are exposed to infection by malicious code. The BotMagnets may include one or more virtual machines hosing operating systems in which malicious code may be installed and executed without exposing sensitive data or other parts of a network. In particular, outbound traffic may be transmitted to a Sinkhole module that implements a service requested by the outbound traffic and transmits responses to the malicious code executing within the BotMagnet. Credentials for services implemented by a BotSink may be planted in an active directory (AD) server. The BotSink periodically uses the credentials thereby creating log entries indicating use thereof. In response to an attacker accessing the services using the credentials, the BotSink engages and monitors an attacker system and may generate an alert.

Citations

20 Claims

1. A method for detecting unauthorized access of a network environment, the method comprising:
- instantiating, by a security computer system, at least one first network service and executing the at least one first network service on the security computer system;
  
  transmitting, by the security system, at least one first credential effective to authorize use of the first network service to a central server implementing an active directory service for a plurality of second network services implemented by one or more network servers in data communication with central server;
  
  storing, by the central server, the one or more first credentials in a repository storing second credentials effective to authorize access to the plurality of second network services;
  
  authenticating, by the central server, a first user;
  
  determining, by the centrals server, that one of the second credentials authorizes the first user to access one of the second network services;
  
  in response to determining that the one of the second credentials authorizes the first user to access the one of the second network services, instructing the one of the second network services to allow access by the first user;
  
  authorizing, by the centrals server, a second user to access the at least one first network service using the at least one first credential;
  
  in response to accessing of the at least one first network service by the second user, performing, by the security computer system
  
  permitting access to the at least one first network service;
  
  outputting an alert indicating that unauthorized access of the central server has occurred.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, further comprising:
    - monitoring, by the security computer system, access of the first network service by the second user;
      
      generating, by the security computer system, a report of the access of the first network service by the second user; and
      
      outputting, by the security computer system, the report.
  - 3. The method of claim 1, wherein the security computer system is connected to first network domain coupled to the central server and the one or more network servers are connected to a second network domain coupled to the central server, wherein the first and second domains are configured to prohibit communication between the first network domain and the second network domain.
  - 4. The method of claim 3, wherein the first network domain is a virtual domain implemented among virtual machines executing on the security computer system.
  - 5. The method of claim 1, wherein the at least one first network service is a plurality of first network services, the security computer system executing a plurality of virtual machines, each first network service of the plurality of first network services being executed within one of the virtual machines of the plurality of virtual machines.
  - 6. The method of claim 1, further comprising:
    - periodically accessing, by the security computer system, the at least one first network credential; and
      
      updating, by the central server, an access log for the at least one first network credential in response to each accessing of the at least one first network credential.
  - 7. The method of claim 6, wherein periodically accessing, by the security computer system, the at least one first network credential comprises accessing the at least one first network credential from a simulated user account defined in a virtual machine executing on the security computer system.
  - 8. The method of claim 1, wherein the at least one first network service is an email server.
  - 9. The method of claim 1, wherein the at least one first network service is a database server.
  - 10. The method of claim 1, wherein the at least one first network credential is an administrator-level credential.

11. A system for detecting unauthorized access of a network environment, the system comprising:
- a security computer system including one or more first processing devices and one or more first memory devices coupled to the one or more first processing devices, the one or more first memory devices storing executable code effective to cause the one or more processing devices to;
  
  instantiate at least one first network service and executing the at least one first network service;
  
  transmit at least one first credential effective to authorize use of the first network service to a central server implementing an active directory service for a plurality of second network services implemented by one or more network servers in data communication with central server;
  
  authorize access by a first user in response to receiving an authentication communication from the central server referencing the at least one first credential;
  
  in response to the communication from the central server referencing the at least one first credential—
  
  permit access by the first user to the at least one first network service;
  
  output an alert indicating that unauthorized access of the central server has occurred.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The system of claim 11, wherein the executable code is further effective to cause the one or more processing devices to:
    - monitor access of the first network service by the second user;
      
      generate a report of the access of the first network service by the second user; and
      
      output the report.
  - 13. The system of claim 11, further comprising:
    - a first network domain coupled to the central server, the security computer system in network communication with the central server through the first network domain;
      
      a second network domain coupled to the central server, wherein the first and second domains are configured to prohibit communication between the first network domain and the second network domain.
  - 14. The system of claim 13, wherein the first network domain is a virtual domain implemented among virtual machines executing on the security computer system.
  - 15. The system of claim 11, wherein the at least one first network service is a plurality of first network services, the executable code being further effective to cause the one or more processing devices to execute a plurality of virtual machines, each first network service of the plurality of first network services being executed within one of the virtual machines of the plurality of virtual machines.
  - 16. The system of claim 11, wherein the executable code being further effective to cause the one or more processing devices to:
    - periodically access the at least one first network credential effective to cause the central server to update an access log for the at least one first network credential in response to each accessing of the at least one first network credential.
  - 17. The system of claim 16, wherein the executable code being further effective to cause the one or more processing devices to periodically access the at least one first network credential by accessing the at least one first network credential from a simulated user account defined in a virtual machine executing on the security computer system.
  - 18. The system of claim 11, wherein the at least one first network service is an email server.
  - 19. The system of claim 11, wherein the at least one first network service is a database server.
  - 20. The system of claim 11, wherein the at least one first network credential is an administrator-level credential.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SentinelOne Inc.
Original Assignee
Attivo Networks, Inc.
Inventors
Vissamsetty, Venu, Das, Satya, Vissamsetti, Srikant

Granted Patent

US 9,942,270 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/08   for authentication of entit...

H04L 63/10   for controlling access to d...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1491   using deception as counterm...

H04L 63/20   for managing network securi...

DATABASE DECEPTION IN DIRECTORY SERVICES

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

DATABASE DECEPTION IN DIRECTORY SERVICES

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links